Last week the InstaAgent developer “Turker Bayram” released a new app on Google Play and the iOS App Store, after his (malicious) app “InstaAgent” was pulled by Apple and Google from their stores. I was astonished that Apple and Google didn’t have a closer look at his new application. One would assume a developer who has already published a malicious app would be watched more closely. His new app is called “Who Viewed Me on Instagram” (Android version, 50K – 100K downloads) and “InstaCare – Who cares with me?” (iOS version, top grossing app in Germany in the Entertainment category). The app promises the same functionality as InstaAgent did:

“- This app can show you up to most recent 100 list for your Instagram profile.

Again, I’ve analysed the app to find out whether it steals the Instagram username and password again. At first glance it did not seem to, but there is one suspicious HTTPS request:

The HTTPS request body contains a field called “hash”. Its value is base64-encoded AES ciphertext. To find the key needed to decrypt it, I decompiled the Android version of InstaCare. This is what the encryption routine looks like:

PART C injects JavaScript into the Instagram login page, collects the username and password into a string, and sends that string to his server.

For AES key generation he concatenates a UDID (the variable is named uuid in the code) and an ID issued by the server. For example:

with uuid=16cdeef358a33ace and id=221163.0c5 the key is 221163.0c516cdeef358a33ace. He also sends both of these values to his server(!)

He then runs the AES key through PART B; afterwards it looks like “dfoykykkbgljjzrt”. Next he runs the string from PART C (which contains the user’s Instagram username and password plus other metadata) through the same PART B routine. To make the scheme harder to follow, he encrypts that string again with the AES key derived from the UDID and ID. Finally he sends the encrypted string (base64-encoded), the UDID and the ID to his server (https://api-2.instadetect.com).

Since the ID and the UDID travel in the same request as the ciphertext, he can derive the key and decrypt the user’s Instagram username and password again later, and so can anyone else who is able to read that request body. A working PoC (that decrypts the string) written in Java can be found here.
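To make the chain concrete, here is an added example in Java that is neither the developer’s code nor the PoC linked above. It walks the scheme end to end: key derivation from id and uuid, the PART B layer, AES, base64, and then the reverse from the captured fields. Everything the post does not spell out is an assumption in the example: PART B is replaced by a stand-in shift over printable ASCII (the real routine is a different substitution), the 16-byte AES-128 key is taken as the first 16 bytes of the transformed concatenation (the post shows a 16-character key but not how the 26-character concatenation is shortened), the AES mode is ECB with PKCS5 padding, and the credentials and the JSON layout of the PART C string are made up.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class InstaCareFlowDemo {

    // Hypothetical stand-in for the app's "PART B" routine, which the post
    // describes but does not reproduce: a shift by 13 over printable ASCII
    // (0x20..0x7e). Any invertible transform works for the demo; it is NOT
    // the app's real substitution.
    static String partB(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c > 0x7e) { out.append(c); continue; }
            out.append((char) (0x20 + ((c - 0x20 + 13) % 95)));
        }
        return out.toString();
    }

    static String partBInverse(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c > 0x7e) { out.append(c); continue; }
            out.append((char) (0x20 + ((c - 0x20 + 95 - 13) % 95)));
        }
        return out.toString();
    }

    // Key derivation as the post describes it: concatenate id and uuid and run
    // the result through PART B. ASSUMPTION: the AES-128 key is the first 16
    // bytes of that output; the post does not say how the key is shortened.
    static byte[] deriveAesKey(String id, String uuid) {
        byte[] transformed = partB(id + uuid).getBytes(StandardCharsets.US_ASCII);
        byte[] key = new byte[16];
        System.arraycopy(transformed, 0, key, 0, 16);
        return key;
    }

    // ASSUMPTION: AES/ECB/PKCS5Padding. The post only says "AES".
    static byte[] aes(int mode, byte[] key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(data);
    }

    // What the client sends: the PART C credential string goes through PART B,
    // then AES under the derived key, then Base64 -> the "hash" field, which is
    // posted together with the very uuid and id the key was derived from.
    static Map<String, String> clientRequest(String uuid, String id,
                                             String username, String password) throws Exception {
        // Constructed layout; the real PART C string also carries other metadata.
        String partC = "{\"username\":\"" + username + "\",\"password\":\"" + password + "\"}";
        byte[] layered = partB(partC).getBytes(StandardCharsets.US_ASCII);
        byte[] ciphertext = aes(Cipher.ENCRYPT_MODE, deriveAesKey(id, uuid), layered);
        return Map.of("hash", Base64.getEncoder().encodeToString(ciphertext),
                      "uuid", uuid,
                      "id", id);
    }

    // What anyone holding the same request body can do: rebuild the key from
    // the fields shipped next to the ciphertext and peel both layers off.
    static String recoverFromRequest(Map<String, String> req) throws Exception {
        byte[] key = deriveAesKey(req.get("id"), req.get("uuid"));
        byte[] plain = aes(Cipher.DECRYPT_MODE, key, Base64.getDecoder().decode(req.get("hash")));
        return partBInverse(new String(plain, StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // uuid and id follow the format shown in the post; the credentials are made up.
        Map<String, String> req = clientRequest("16cdeef358a33ace", "221163.0c5", "alice", "hunter2");
        System.out.println("POST body fields: " + req);
        System.out.println("recovered PART C string: " + recoverFromRequest(req));
    }
}
```

The point the example makes is that the key material is computed only from uuid and id, and both travel in the same request as hash; whoever can read that request body recovers the credentials. That makes this exfiltration with an obfuscation layer, not encryption that protects anything from anyone but a casual observer.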

He probably uses a different key combination for the iOS version, so I am currently not able to decrypt it. But if you ask me, it is most likely that the iOS version also steals the user’s Instagram username and password. This would be the second time this developer has published malware to the iOS App Store! Just like “InstaAgent”, the new app “InstaCare” is again in the iOS top charts with thousands of downloads! Again, Apple and Google did not manage to keep their app stores free of malware. Apple and Google should remove these apps as soon as possible! Apple and Google let a malicious app from the SAME developer into their stores for the second time. 😿😂